JP2021528301A - How to determine relay attack, relay attack detector and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect a relay attack (relay attack).
A method of determining a relay attack on an authentication system that grants permission to use a resource is to receive a signal from the authentication device and to determine if the signal contains at least two copies of the authentication signal. And determining that it is a relay attack when at least two copies of the authentication signal are identified in the signal.
[Selection diagram] Fig. 1

Description

The present application relates to authentication type wireless communication.

In an authentication system, communication between a mobile transponder and an authorized instance allows the user to use resources (eg, start and drive a car) or access infrastructure (eg, enter a vehicle or building, or go to a computer system). You can be assured that you have permission to access).

As a solution for keyless entry system building access, a key card with so-called Near Field Communication (NFC), which is a passive RFID technology, is used. When the batteryless key card approaches the RFID reader, the RFID reader can give an instruction to unlock the door after detecting the (owner's) authorized card. Due to their passive nature and the radio frequencies used, the reach of these techniques can be limited to a few centimeters (<10 cm).

For vehicles, so-called key fobs are used that actively communicate with the vehicle, which can typically communicate in two frequency ranges of the radio spectrum, low frequency (LF) and ultra high frequency (UHF). However, it may be known that the reach of the system can be extended by applying relay over one or both frequency ranges. Signals arriving from both sides may be received by a relay, amplified and forwarded to their respective other devices such that the actual keychain is a few meters (up to 100 m or more) away from the vehicle. In this way, the system can be compromised and the car can be unlocked when the relay device approaches, even though the key fob itself is not close enough.

Attacks can be evaded by applying round trip time (RTT) measurements that can limit the distance to an upper limit (eg, 10 m) by measuring the propagation time from vehicle to key fob and back to the vehicle. A possible technique for determining propagation time may be ultra-wideband (UWB) transmission, but a frequency hopping system based on carrier phase measurements (and potentially other extended methods) (similar to Bluetooth). It may be. The latter may have the advantage that it can potentially be a low power technology. Here, in the case of communication between the key fob and the vehicle, carrier phase measurement based on frequency hopping is considered, which is effectively based on the measurement of linear phase lamps on the frequency.

There may be an attack method in which the phase of the transmitted wave in each channel is directly changed. This can be countered by using random frequency hopping.

周波数ホッピングキャリアの最小間隔内で位相のラップアラウンドが起こり得る。このラップアラウンドは、原則として、この方法を使用する全ての距離測定値が曖昧になり、直接検出されない可能性がある。 As another attack method, there may be an attack method that utilizes the phase ambiguity at 2π. If the propagation delay _trop is greater than the reciprocal of the minimum spacing of the frequency hopping carriers

Phase wraparound can occur within the minimum spacing of frequency hopping carriers. This wraparound, in principle, may obscure all distance measurements using this method and may not be detected directly.

With respect to the above, the carrier phase based method has the disadvantage of being susceptible to malicious manipulation of the transmitted signal.

Since frequency hopping is based on the carrier phase method, it may be necessary to avoid manipulating the transmitted signal to detect relay attacks to prevent it. Embodiments relate to detecting new attacks on such frequency hopping systems.

One example relates to how to determine a new relay attack against an authentication system that grants permission to use a resource. It receives a signal from the authentication device, determines if at least two copies of the authentication signal are included in the signal, and if at least two copies of the authentication signal can be identified in the signal, a delay signal. It is provided to judge that it is a relay attack based on the echo.

The new relay attack may already be detected by simply checking if two signals are likely to be detected. If two signals, a direct signal and an echo signal, are detected, there may be a relay attack.

Another embodiment further comprises receiving a signal from the authentication device of the vehicle access system.

The described method may be applied to a vehicle having a certification system to reduce the risk of unauthorized use of the vehicle.

In a further embodiment, the steps of determining whether the signal contains at least two copies of the authentication signal include at least power measurement of the signal sample, power calculation of the signal sample, phase step detection of the signal, and of the signal. Includes one of correlation analysis and super-resolution signal analysis.

If the signal contains more than one subcarrier, the detection of the two signals should be done either by measuring the amplitude of the subcarrier signal, or the phase of the subcarrier signal, or by measuring the combination of the amplitude and phase of the subcarrier signal. Can be done. Furthermore, in the case of super-resolution signal analysis, correlation calculation or detection of multiple incident signals at different frequencies may be used. Having several different methods for determining if there are two detected signals can be an opportunity to compare the results of each method. In this way, the results can be verified using at least two methods.

In an additional embodiment, the power measurement of the signal sample involves averaging the signals on multiple subcarriers.

Detection of the two signals can be achieved by averaging the subcarrier signals with respect to their amplitude. If the average value is higher than a predetermined threshold, a new relay attack may be detected. Averaging signals on multiple subcarriers results in a higher signal-to-noise ratio than a single subcarrier signal, a more accurate and reliable value for comparison to a given threshold. Is obtained.

In an optional embodiment, the power calculation of the signal sample comprises compensating for the subcarrier phase between the first and second subcarriers of the signal.

Due to the phase shift between the subcarriers, instead of averaging the subcarrier signals, the relative average phase of the subcarrier signals can be estimated first and then compensated. In this way, a more efficient averaging over multiple signals is achieved with a lower SNR.

According to one example, determining whether the signal contains at least two copies of the authentication signal includes detecting a phase discontinuity.

The phase discontinuity can be detected by phase step detection, where the phase of each subcarrier signal may be related instead of amplitude. Here, the average value may be compared with a predetermined threshold value. A relay attack can be detected if the average phase value can deviate beyond the threshold from the phase determined by the first sample of the received burst. In this way, the relay attack can be detected independently of the amplitude of the corresponding signal.

According to another embodiment, determining whether the signal contains at least two copies of the authentication signal can include combining power measurement and phase step detection.

Here, the detection may be based on both the amplitude and phase of the signal. The use of coupled metrics (amplitude and phase) allows relay attacks to be detected more reliably.

According to a further embodiment, the correlation analysis includes a step of correlating the received subcarrier signal with the transmitting subcarrier signal to determine an intermediate signal and a step of correlating the intermediate signal with the filter sequence.

By taking a double correlation and comparing the obtained metric with a predetermined threshold value, the existence of a new relay attack can be determined with high reliability, and false detection can be avoided.

According to an additional example, super-resolution signal analysis estimates at least one delay in a signal within the critical delay range, calculates the power level for the delay, and the power level sets a predetermined threshold. It includes determining that it is a relay attack when it exceeds.

According to the optional example, the power level is only evaluated for delays within the critical range.

Here, the plurality of incident signals may be detected at different frequencies. A signal having a delay in the critical range may be separated from a signal having a delay outside the critical range. Based on this selection, an algorithm may be applied to determine if the power level can be higher than a predetermined threshold that results in the detection of a relay attack. Less effort is required to assess power levels due to the fact that only delays within a critical predetermined range are further processed.

In an embodiment, the relay attack detector for determining a relay attack determines whether the signal contains a receiver configured to receive a signal from the authentication device and at least two copies of the authentication signal. It comprises a detector configured to do so and a processor configured to determine that it is a relay attack if at least two copies of the authentication signal are identified in the signal.

In another embodiment, the detector is configured to average the signal over multiple subcarriers in order to perform a power measurement of the signal sample.

In a further embodiment, the detector is configured to compensate for the subcarrier phase between the first and second subcarriers of the signal in order to perform a power calculation of the signal sample.

In an additional example, the detector is configured to detect a phase discontinuity to determine if at least two copies of the authentication signal can be included in the signal.

In the optional example, the processor is configured to combine power measurement with phase step detection to detect discontinuity.

According to one example, the processor correlates the received subcarrier signal with the transmitted subcarrier signal to determine the intermediate signal, and the intermediate signal with the test filter sequence according to the delay tested to perform the correlation analysis. It is configured to correlate.

According to another embodiment, the detector is configured to detect multiple potential delays in the signal within the critical time range, and the processor is associated with the signal associated with the potential delay having no delay. If the signal has a given power level, it is configured to determine if one of the potential delays is associated with a relay attack.

In another embodiment, the authentication system for granting permission to use the resource comprises a relay attack detector, and the processor is further configured to grant permission to use the resource if a new relay attack is not determined. NS.

In an additional example, the vehicle comprises an authentication system configured to allow access to the vehicle.

In a further embodiment, when executed on a processor, a computer program having program code to determine a relay attack on the authentication system triggers execution of the method.

It is a flowchart explaining the method of detecting the relay attack of this disclosure. It is a block diagram which shows the structure of the relay attack detection apparatus of this disclosure. It is a figure which shows the newly proposed attack method based on the echo which introduced the direct signal. It is a figure which shows the impulse response of the proposed relay. It is a figure which shows the signal envelope of a direct signal, an echo signal, and a sum signal without noise at the time of transmission T _0. It is a figure which shows the signal envelope for a large number of subcarrier bursts. FIG. 5 shows a table showing some exemplary data on the direct association between delay, sample at 20 MHz, and distance estimation reduction. It is a figure which visually represented the combined metric.

Various examples are described more fully here with reference to the accompanying drawings in which some examples are shown. In the drawings, the thickness of lines, layers, and / or areas may be exaggerated for clarity.

Thus, further embodiments are possible in a variety of modifications and alternatives, some specific embodiments of which are shown in the drawings and will be described in detail later. However, this detailed description is not limited to the particular embodiments described in further embodiments. Further examples may cover all modifications, equivalents, and alternatives within the scope of this disclosure. Identical or similar numbers refer to similar or similar elements throughout the description of the drawing, which are implemented in the same or modified form when compared to each other while providing the same or similar functionality. obtain.

When an element is referred to as being "connected" or "joined" to another element, the element may be directly connected or joined via one or more intervening elements. It will be understood that it is good. When two elements A and B are combined using "or", this is all possible, A only, B only, like A and B, unless explicitly or implicitly defined. It should be understood to disclose the combination. An alternative expression for the same combination is "at least one of A and B" or "A and / or B". The same applies mutatis mutandis to combinations of two or more elements.

The terms used herein to describe a particular embodiment are not intended to limit further embodiments. To perform the same function whenever singular forms such as "a", "an" and "the" are used and only a single element is not explicitly or implicitly defined as required. You can also use multiple elements. Similarly, further examples can perform the same function using a single element or processing entity, as described below as being performed using multiple elements. In addition, the terms "provide", "contain", and / or "contain", when used, specify the presence of the stated features, integers, steps, actions, processes, actions, elements and / or components. It should be understood that does not preclude the existence or addition of one or more other features, integers, steps, actions, processes, actions, elements, components, and / or any group thereof.

Unless otherwise defined, all terms (including technical and scientific terms) are used herein in their usual sense of the technical field to which the example belongs.

In order to illustrate the new underlying attack in more detail, FIG. 3 schematically illustrates a new relay attack when a new relay attack can be detected. A new relay attack may add a replica (echo) of the signal to a signal that can be delayed by a delay Δτ with respect to the direct signal component. The relative delay Δτ can approach the wraparound delay. (Or twice this value if only one side of the link can be manipulated)

The second signal may be stronger (or more amplified) than the direct signal. The resulting superposition of both signals, if applied correctly, will reduce the delay estimate and, as a result, the distance estimate. The latter can maliciously undermine attempts to limit distance, as proposed for general relay attacks.

This method can reuse a replica of the transmitted signal and therefore does not have to be detected by zero frame without signal transmission. It may be suggested to use signal analysis performed on the transmitted non-zero signal to detect slow echo based attacks.

Given the minimum subcarrier spacing min (f _n − f _m ) = 1 MHz, the distance to the slow echo follows the formula below.

The attack is called a slow echo attack. Ignoring the modulation of the subcarrier signal, the _{received carrier signal having the burst Tburst} and the rectangular transmit window of the subcarrier k is represented by the following equation.

Here, A ₁ can be the signal amplitude of the direct path, A ₂ can be the signal amplitude of the delayed echo, and w _k (t) can be the system noise. The noise-free signal envelope can be observed in FIG. 5, where FIG. 6 represents an exemplary signal envelope of a sum signal for different subcarriers.

As a countermeasure approach as the basis of the method for detecting relay attacks, the superimposed echo is 450 ns at a rate of 20 MHz (sampling interval 50 ns) and moderate sampling given at a minimum subcarrier interval of 1 MHz. It can be well detected with a delay Δτ for a larger first signal component. This may correspond to an estimated drop distance of 30 m if the attack is applied to both sides of the link and is associated with 9 time domain samples. Other responses are summarized in FIG.

FIG. 1 illustrates a method of determining a relay attack on an authentication system that grants permission to use a resource. It receives a signal from the authentication device (step 102), determines if at least two copies of the authentication signal are included in the signal (step 104), and at least two copies of the authentication signal are in the signal. If identifiable, it involves determining the relay attack based on a slow signal echo (step 106).

The new relay attack may already be detected by simply checking if two signals are likely to be detected. If two signals, which can be a direct signal and an echo signal, can be detected, there may be a new relay attack in progress.

Another embodiment further comprises receiving a signal from the authentication device of the vehicle access system.

The described method may be applied to a vehicle having a certification system to reduce the risk of unauthorized use of the vehicle.

In a further embodiment, the steps of determining whether the signal contains at least two copies of the authentication signal include at least power measurement of the signal sample, power calculation of the signal sample, phase step detection of the signal, and of the signal. Includes one of correlation analysis and super-resolution signal analysis.

If the signal contains more than one subcarrier, the detection of the two signals shall be by measuring either the amplitude of the subcarrier signal, or the phase of the subcarrier signal, or a combination of amplitude and phase of the subcarrier signal. Can be done. Furthermore, in the case of super-resolution signal analysis, correlation calculation or detection of multiple incident signals at different frequencies may be used. Having several different methods for determining if there are two detected signals can be an opportunity to compare the results of each method. In this way, the results can be verified using at least two methods.

In an additional example, power measurement of a signal sample involves averaging the signals on multiple subcarriers.

Detection of the two signals can be achieved by averaging the subcarrier signals with respect to their amplitude. If the average value is higher than a predetermined threshold, a relay attack may be detected. Averaging signals on multiple subcarriers results in a higher signal-to-noise ratio than a single subcarrier signal, a more accurate and reliable value for comparison to a given threshold. Is obtained.

Here, the power step must be a well-defined upper step of the received signal power in the delay of the second signal. This can be partially masked by noise and multipath, but is well detected in the expected high SNR scenarios at small distances between transceivers (where the system may naturally be of interest). It may be possible.

The power step can be detected at the same relative delay position Δτ on all subcarriers, thus allowing the subcarrier signal to gain SNR by averaging according to the metric m (t) of the following equation. Can be done.

Here, the noise term Wk (t) is given by the following equation.

ここでｎは電力ステップの位置であり、相対的遅延Δτを範囲τ_ｗｒａｐ／２からτ_ｗｒａｐ（１ＭＨｚの最小サブキャリア間隔に対して２５０ｎｓから５００ｎｓまでの範囲）の関連する遅延のみをテストすることで十分であり得る。 Here,'∀k' indicates all measurable subcarriers k.
At this time, the difference term is as follows.

Where n is the position of the power step and test the relative delay Δτ only for the relevant delays in the range τ _wrap / 2 to τ _wrap (range 250 ns to 500 ns for a minimum subcarrier interval of 1 MHz). Can be sufficient.

Alternatively, the samples to be compared may be averaged temporally as in the following equation using the average length (n-1) of the first interval and the average length L of the second interval.

The method of defining the threshold can be founded, for example, from a simulation or actual measurement that picks up an appropriate compromise between the detection probability and the false alarm probability from the experimental receiver operating characteristic (ROC).

In an optional embodiment, the power calculation of the signal sample comprises compensating for the subcarrier phase between the first and second subcarriers of the signal.

Due to the phase shift between the subcarriers, instead of averaging the subcarrier signals, the relative average phase of the subcarrier signals can be estimated first and then compensated. In this way, less effort is spent averaging calculations for multiple signals.

The relative average phase may be estimated first and then compensated for it.

次に、下記式に従ってテストされる。

または、付加的に、適切な平均化定数Ｌを用い、下記式のように平均化する。

The estimation for the first burst is performed according to the following equation.

Then, it is tested according to the following formula.

Alternatively, additionally, using an appropriate averaging constant L, averaging is performed as shown in the following equation.

Note that for all amplitude / power threshold tests, the threshold may be determined based on the power of the first sample (first signal plus noise) and the expected channel behavior. Also, natural echoes can cause similar effects, but natural echoes over long distances (multipath distances) considered between 15m and 60m (see Figure 7) are usually acceptable for authenticated access. At the distance (<10 m), the power is significantly reduced. Therefore, it can be assumed that the power step by natural echo is weaker.

According to one example, determining whether the signal contains at least two copies of the authentication signal involves detecting a phase discontinuity.

The phase discontinuity can be detected by phase step detection, where the phase of each subcarrier signal may be related instead of amplitude. Here, the average value may be compared with a predetermined threshold value. If the average value is higher than the threshold, a relay attack may be detected. In this way, the relay attack can be detected independently of the amplitude of the corresponding signal.

Besides the amplitude of the signal, the phase of the recorded signal can also be discontinuous due to the attack. For convenience, the related phases are represented by the following equations.

If the discontinuity of the phase (step Δφ = -2πf _k τ _prop) (with little or only) no, because the carrier phase changes may be intended effect attacker attacks itself is inefficient obtain.

相対的遅延（ｎ・Ｔ）が下記式を満たすかテストされる。

Therefore, the same detection can be applied to the absolute value.

It is tested whether the relative delay (n · T) satisfies the following equation.

Alternatively, the metric may result in a threshold test result of the following equation, including averaging the intervals of length L that satisfy L <n.

The threshold and exponent μ can be appropriately selected. The exponents μ = 1 and μ = 2 can already be good choices.

According to another embodiment, determining whether the signal contains at least two copies of the authentication signal can include combining power measurement and phase step detection.

Here, the detection may be based on both the amplitude and phase of the signal. The use of coupled metrics (amplitude and phase) allows more reliable detection of new relay attacks (see FIG. 8).

または、他の位相ステップ検出メトリックと振幅ステップ検出メトリックとの適切な組み合わせによっても攻撃は検出できる。 An improved method of detection can be based on a combination of an amplitude detector and a phase detector. For example, an attack can be detected if:

Alternatively, the attack can be detected by an appropriate combination of other phase step detection metrics and amplitude step detection metrics.

フェーザの弧を記述する小さいμ（＝１ｏｒ２）についての妥当な理論的基礎と組み合わされたメトリックの選択であってもよい。ここで、

はラジアンで与えられてもよい。 In addition, the metric expressed by the following formula is

It may be a choice of metrics combined with a valid theoretical basis for the small μ (= 1 or 2) that describes the phasor arc. here,

May be given in radians.

According to a further embodiment, the correlation analysis includes a step of correlating the received subcarrier signal with the transmitting subcarrier signal to determine an intermediate signal and a step of correlating the intermediate signal with the filter sequence.

By taking a double correlation and comparing the obtained metric with a predetermined threshold value, the existence of a relay attack can be determined with high reliability, and erroneous detection can be avoided.

Calculating the correlation is another way to determine the deterministic metric for the detection of remote echo attacks.

In the (equivalent) baseband, the processing block of a remote echo attack can have an impulse response.

この場合、関連する遅延範囲をわずかに超えてカバーする必要があるかもしれない。

As a result, attacks can be detected using double correlation. First, the received subcarrier message y _{k, n} = y _k (nT) may correlate with the transmitted subcarrier signal x _{k, n} (ie, convolve with the time inverse conjugate complex sequence of _{x k, n).} Can be rare).

In this case, it may be necessary to cover slightly beyond the relevant delay range.

ここで、

すべての合理的なシーケンスｈ^＊ _ｋをカバーするために、Ａ，Δτおよび代数符号 “±”（“＋”ｏｒ“−”）に従ってパラメータ化してもよい。Ａとτの妥当な範囲は下記の範囲である。

As a result, the intermediate signal may be correlated with the test filter sequence.

here,

To cover all reasonable sequences h ^* _k , parameters may be given according to A, Δτ and the algebraic code “±” (“+” or “−”). The reasonable range of A and τ is the following range.

The echo delay Δτ to be tested may be quantized in multiples of the sampling interval T. In this case, the metric for threshold comparison is obtained from the following equation.

The exponent μ may then be chosen from 1 and 2 (or another value tested to be advantageous). If the SNR-dependent threshold is exceeded, it favors the conclusion that it is an attack detection.

According to a further embodiment, the super-resolution signal analysis estimates at least one delay in the signal, calculates the power level for the delay, and determines that it is a relay attack if the power level exceeds a predetermined threshold. Including to do.

As an optional example, power levels are only evaluated for delays within the critical range.

Here, the plurality of incident signals may be detected at different frequencies. A signal having a delay in the critical range may be separated from a signal having a delay outside the critical range. Based on this selection, an algorithm may be applied to determine if the power level can be higher than a predetermined threshold that results in the detection of a relay attack. Less effort is required to assess power levels due to the fact that only delays within a critical predetermined range are further processed.

Specifically, the super-resolution method can detect a plurality of incident signals at different frequencies and is often used in the direction of arrival measurement. There, a frequency difference may occur across the antenna elements of the array depending on the angle of incidence (spatial frequency). For uniform linear array, the received signal y _m may have a proportionality.

Here, m is the index of the antenna element, θ is the angle with respect to the orthogonal component, λ = c ₀ / f is the wavelength, and Δ is the uniform antenna spacing.

In the current context, signals can be detected and separated, and in particular, signals with delays within the critical range can be separated from signals with delays outside the critical range. The received signal y _k may have proportionality.

In the case of equidistant spectrum sampling (uniform subcarrier grid), it may be the same as in the case of angle.

As a result, it is well known that the same methods for angles can be applied to detect multiple delays. Given a sufficient number of subcarriers (ie, a sufficient total bandwidth K · Δf) and a sufficient SNR, the MUSIC algorithm can separate near delays and therefore the first path and first path in the frequency domain. 2 routes can be detected. To do so, MUSIC may use N-time samples at a rate of 1 / T to determine the eigenvalue decomposition of the covariance matrix over the frequency dimensions.

ここでテスト信号は、下記式である。

After separating the eigenvector V into noise and signal subspace V = [V _noise , V _signal ] according to the size of the associated eigenvector (large eigenvalue: signal-small eigenvalue: noise), all associated delays are according to the following equation: May be tested.

Here, the test signal is given by the following equation.

The delay can be extracted from the maximum value of the test metric S (τ) (called the MUSIC spectrum).

ここで、さらに、

たとえば、１ＭＨｚの最小副搬送波間隔に対してτ_ｗｒａｐ＝５００ｎｓ．である。テストは、上記ベクトルｓ（τ）を用いて絶対値をチェックすることによって拡張されてもよい。

ここで、攻撃検出の結論付けに有利に働かせるため、Ａ（τ_ｐ）＞Ａ（τ_１）が臨界範囲内で検出されたτ_ｐに適用されてもよい。 The maximum value P can then be observed for the delay difference _{(relative to the first delay τ 1) in the critical range.} That is,

Here, further

_{For example, τ wrap} = 500 ns. For the minimum subcarrier spacing of 1 MHz. Is. The test may be extended by checking the absolute value using the vector s (τ) above.

_{Here, A (τ p} )> A (τ ₁ ) may be applied to _{τ p} detected within the critical range in order to favor the conclusion of attack detection.

FIG. 2 shows a receiver 221 configured to receive a signal from an authentication device, a detector 222 configured to determine if the signal contains at least two copies of the authentication signal, and authentication. Implementation of a relay attack detector 220 for determining a new relay attack, including a processor 223 configured to conclude that it is a new relay attack when at least two copies of the signal are identified in the signal. An example is shown.

In another embodiment, the detector 222 is configured to average the signal over a plurality of subcarriers in order to perform a power measurement of a sample of the signal.

Here, the power step must be a well-defined upper step of the received signal power in the delay of the second signal. This can be partially masked by noise and multipath, but is well detected in the expected high SNR scenarios at small distances between transceivers (where the system may naturally be of interest). It may be possible. The power step can be detected at the same position Δτ on all subcarriers, whereby the subcarrier signal can also allow SNR gain by averaging according to metrics. Alternatively, the compared samples may be averaged over time.

The method of defining the threshold can be founded, for example, from a simulation or real-world measurement that picks up an appropriate compromise between the detection probability and the false alarm probability from the experimental receiver operating characteristic (ROC).

In a further embodiment, the detector 222 is configured to compensate for the subcarrier phase between the first and second subcarriers of the signal in order to perform a power calculation of the signal sample. ..

Alternatively, instead of averaging the power samples, the relative average phase can be estimated first and then compensated for it.

Estimates are made for the first burst and then tested according to the threshold.

Note that for all amplitude / power threshold tests, the threshold may be determined based on the power of the first sample (first signal plus noise) and the expected channel behavior. Also, natural echoes can cause similar effects, but natural echoes over long distances (multipath distances) considered between 15m and 60m (see Figure 7) are usually acceptable for authenticated access. At the distance (<10 m), the power is significantly reduced. Therefore, it can be assumed that the power step by natural echo is weaker.

In an additional example, the detector 222 is configured to detect a phase discontinuity to determine if the signal contains at least two copies of the authentication signal.

Besides the amplitude of the signal, the phase of the recorded signal can also suffer discontinuity due to attack. In the absence of (or only slight) phase discontinuity, the attack itself can be inefficient, as changing the carrier phase can be the attacker's intended effect.

As an optional example, processor 223 is configured to combine power measurement with phase step detection to detect discontinuity (see FIG. 8).

An improved version of the detector 222 may be based on a combination of amplitude and phase detectors.

According to one example, processor 223 correlates the received subcarrier signal with the transmitted subcarrier signal to determine the intermediate signal and tests the intermediate signal according to the delay tested to perform the correlation analysis. It is configured to correlate with the filter sequence.

Calculating the correlation is another way to determine the deterministic metric for the detection of remote echo attacks.

In the (equivalent) baseband, the processing block of a remote echo attack can have an impulse response.

As a result, attacks can be detected using double correlation. First, the received subcarrier signal can be correlated with the transmitting subcarrier signal. The resulting intermediate signal may then be correlated with the test filter sequence according to _{h k (t, Δτ, A).}

According to another embodiment, the detector 222 is configured to detect a plurality of potential delays within a signal within the critical time range, and the processor 223 is such that the signal associated with the potential delay has no delay. If it has a given power level for the signal associated with, it is configured to determine if one of the potential delays is associated with a relay attack.

Super-resolution methods may detect multiple incident signals at different frequencies and may be frequently used in arrival direction measurements. There, a frequency difference may occur across the antenna elements of the array depending on the angle of incidence (spatial frequency).

In the current context, signals can be detected and separated, and in particular, signals with delays within the critical range can be separated from signals with delays outside the critical range. In the case of equidistant spectrum sampling (uniform subcarrier grid), it may be the same as in the case of angle.

As a result, it is well known that the same methods for angles can be applied to detect multiple delays. Given a sufficient number of subcarriers and a sufficient signal-to-noise ratio, the MUSIC algorithm can separate adjacent delays and thus detect first and second paths in the frequency domain.

エコー遅延に対して存在し得る。それにもかかわらず、限られた数の記録サンプルは、共分散行列のランクを増加させるために、空間平滑化および／または前方後方平均化を必要とし得る。古典的な平滑化アルゴリズムは、最大と最小との間、または少なくとも規則的なグリッドにおいて、すべての副搬送波上への信号の事前補間処理を必要とし得る。 For correlated echoes in subcarrier signals, it may be desirable to enhance them by anterior-posterior averaging, spatial smoothing, or a combination thereof, anterior-posterior spatial smoothing. The signal correlation of the subcarrier signal is less than the reciprocal of the total bandwidth, which can be the case for a Bluetooth-like signal that is well below the range of interest.

May be present for echo delay. Nevertheless, a limited number of recorded samples may require spatial smoothing and / or anterior-posterior averaging to increase the rank of the covariance matrix. Classical smoothing algorithms may require pre-interpolation of signals on all subcarriers between maximum and minimum, or at least in a regular grid.

The above reasoning is based on similar algorithms such as ESPRIT, as well as root MUSIC, Unitary ESPRIT, Matrix Pencil, etc. It may also be applied to similar related algorithms such as.

The computational processing of super-resolution algorithms can be expensive and unsuitable for low power / low cost equipment.

It may not be necessary to measure for every transmission, and a random combination of the measurements described can be applied if there are a sufficient number of narrowband measurements and sufficient coverage of the spectrum used.

In another embodiment, the authentication system 210 for granting permission to use the resource comprises a relay attack detector 220 so that processor 223 grants permission to use the resource if a new relay attack is not determined. Further configured.

In an additional example, the vehicle 200 comprises an authentication system 210 configured to allow access to the vehicle 200.

Further, a computer-executable program having program code such that when executed on a processor, a method of detecting a relay attack on an authentication system is executed is also an embodiment of the present disclosure.

Aspects and features referred to and described with one or more of the detailed examples and figures described above either to replace similar features in other examples or additionally introduce features into other examples. Therefore, it can be combined with one or more of the other examples.

An example may be, or is related to, a computer program that has program code to execute one or more of the above methods when the computer program is executed on a computer or processor. .. The steps, actions or processes of the various methods described above may be performed by a programmed computer or processor. Examples may also cover program storage devices such as digital data storage media that are machine, processor or computer readable and are instructions for machine executable, processor executable or computer executable programs. The instruction performs or causes some or all of the operations of the above method to be performed. The program storage device may include or may include, for example, a digital memory, a magnetic storage medium such as a magnetic disk and a magnetic tape, a hard drive, or an optically readable digital data storage medium. A further example is also a computer, processor, or control unit programmed to perform the operations described above, or a (field) programmable logic array ((F)) programmed to perform the operations described above. It can cover PLA) or (field) programmable gate arrays ((F) PGA).

The description and drawings merely illustrate the principles of the present disclosure. Moreover, all the examples listed herein are primarily to help the reader understand the principles of the present disclosure and the concepts contributed by the inventor to facilitate the art. It is explicitly intended to be for illustrative purposes only. All statements herein listing the principles, aspects, and examples of this disclosure, as well as specific examples thereof, are intended to include their equivalents.

A functional block, shown as a "means" for performing a function, can refer to a circuit configured to perform a function. Therefore, "means for th." Is implemented as "means for th." Such as a device or circuit configured or suitable for each business. obtain.

The functions of the various elements shown in the figure, including any functional blocks labeled "means", "means for providing a signal", "means for generating a signal", etc., are "signals". It may be implemented in the formation of dedicated hardware such as "provider", "signal processor", "processor", "controller", as well as hardware that can execute the software in relation to the appropriate software. When provided by a processor, functionality may be provided by a single dedicated processor, by a single shared processor, or by multiple individual processors, even if some or all of them are shared. good. However, the term "processor" or "controller" is not limited to hardware capable of running software, but digital signal processor (DSP) hardware, network processors, application-specific integrated circuits (ASIC), fields. It may include a programmable gate array (FPGA), read-only memory (ROM) for storing software, random access memory (RAM), and non-volatile storage. Other hardware, regular and / or custom, may also be included.

The block diagram can, for example, illustrate a high level schematic that implements the principles of disclosure. Similarly, flowcharts, flow diagrams, state transition diagrams, pseudo-codes, etc. can represent various processes, actions, or steps, which are effectively represented, for example, in computer-readable media, such computers. Or it may be run by a computer or processor, whether or not the processor is explicitly indicated. The methods disclosed in the specification or claims can be carried out by an apparatus having means for carrying out the actions of each of these methods.

Disclosure of multiple acts, processes, operations, steps or functions disclosed in a specification or claim shall be within a particular order, unless expressly or implicitly stated otherwise, for example for technical reasons. It should be understood that it is not interpreted as being. Therefore, disclosure of multiple actions or features does not limit them to a particular order if such actions or features are interchangeable for technical reasons. Further, in some embodiments, a single action, function, process, action, or step is divided into multiple sub-actions, multiple functions, multiple processes, multiple actions, or multiple steps, respectively. You may. Such sub-acts may be included in and part of the disclosure of this single act, unless expressly excluded.

Further, the following claims are incorporated in the detailed description, and each claim can be independent as another embodiment. While each claim can be independent as a separate embodiment, the dependent claims can refer to a particular combination with one or more other claims in the claims, while It should be noted that other embodiments may also include a combination of the dependent claims and the subject matter of each other dependent or independent claim. Such combinations are expressly proposed herein unless it is stated that no particular combination is intended. Furthermore, even if the claim is not directly dependent on the independent claim, it is intended to include the characteristics of the claim in other independent claims.

As a countermeasure approach as the basis of the method for detecting relay attacks, the superimposed echo is 450 ns at a rate of 20 MHz (sampling interval 50 ns) and moderate sampling given at a minimum subcarrier interval of 1 MHz. It can be well detected with a delay Δτ for a larger first signal component. This may correspond to an estimated drop distance of 15 m if the attack is applied to both sides of the link and is associated with 9 time domain samples. Other responses are summarized in FIG.

Besides the amplitude of the signal, the phase of the received signal can also be discontinuous due to the attack. For convenience, the related phases are represented by the following equations.

Besides the amplitude of the signal, the phase of the received signal can also suffer discontinuity due to attack. In the absence of (or only slight) phase discontinuity, the attack itself can be inefficient, as changing the carrier phase can be the attacker's intended effect.

エコー遅延に対して存在し得る。それにもかかわらず、限られた数の受信サンプルは、共分散行列のランクを増加させるために、空間平滑化および／または前方後方平均化を必要とし得る。古典的な平滑化アルゴリズムは、最大と最小との間、または少なくとも規則的なグリッドにおいて、すべてのサブキャリア上への信号の事前補間処理を必要とし得る。
For correlated echoes in subcarrier signals, it may be desirable to enhance them by anterior-posterior averaging, spatial smoothing, or a combination thereof, anterior-posterior spatial smoothing. The signal correlation of the subcarrier signal is less than the reciprocal of the total bandwidth, which can be the case for a Bluetooth-like signal that is well below the range of interest.

May be present for echo delay. Nevertheless, a limited number of received samples may require spatial smoothing and / or anterior-posterior averaging to increase the rank of the covariance matrix. Classical smoothing algorithms may require pre-interpolation of signals on all subcarriers between maximum and minimum, or at least in a regular grid.

Claims (20)

A method of determining a relay attack on an authentication system that allows the use of resources.
The step of receiving the signal from the authentication device and
A step of determining whether or not the signal contains at least two copies of the authentication signal,
A method comprising the step of determining a relay attack based on a delayed signal echo if the signal contains at least two copies of the authentication signal. The method of claim 1, further comprising receiving the signal from the authentication device of an automotive access system. The steps of determining whether at least two copies of the authentication signal are included in the signal include at least power measurement of the sample of the signal, power calculation of the sample of the signal, phase step detection of the signal, and of the signal. The method according to claim 1 or 2, which comprises one of a correlation analysis and a super-resolution signal analysis. The method of claim 3, wherein power measurement of the signal sample comprises averaging signals on a plurality of subcarriers. The method of claim 3, wherein the power calculation of the sample of the signal comprises compensating for the subcarrier phase between the first subcarrier and the second subcarrier of the signal. The method according to any one of claims 1 to 5, wherein the step of determining whether at least two copies of the authentication signal are included in the signal includes detecting a phase discontinuity. The method according to any one of claims 3 to 6, wherein the step of determining whether the signal contains at least two copies of the authentication signal comprises combining power measurement and phase step detection. The method according to claim 3, wherein the correlation analysis includes a step of correlating a received subcarrier signal with a transmitting subcarrier signal to determine an intermediate signal, and a step of correlating the intermediate signal with a filter sequence. The super-resolution signal analysis is a step of estimating at least one delay in the signal, a step of calculating the power level for the delay, and a relay attack when the power level exceeds a predetermined threshold. The method according to claim 3, which includes a step of determining. The method of claim 9, wherein the power level is evaluated only for delays within the critical range. With a receiver configured to receive signals from the authentication device,
With a detector configured to determine if at least two copies of the authentication signal are included in the signal.
A relay attack detector for determining a relay attack, comprising a processor configured to conclude that it is a relay attack if at least two copies of the authentication signal are identified in the signal. The relay attack detector according to claim 11, wherein the detector is configured to average the signals on a plurality of subcarriers in order to perform a power measurement of a sample of the signal. The detector is configured to compensate for a subcarrier phase between a first subcarrier and a second subcarrier of the signal in order to perform a power calculation of a sample of the signal. The relay attack detection device described in 1. 13. The relay attack detector described. The relay attack detection device according to any one of claims 11 to 14, wherein the processor is configured to combine a power measurement value with phase step detection for detecting discontinuity. The processor correlates the received subcarrier signal with the transmitted subcarrier signal to determine the intermediate signal and correlates the intermediate signal with the test filter sequence according to the delay tested to perform the correlation analysis. The relay attack detection device according to claim 11. The detector is configured to detect a plurality of potential delays within the signal within a critical time range, and the processor determines that the signal associated with the potential delay is relative to the signal associated with no delay. 11. The relay attack detector according to claim 11, which is configured to determine if one of the potential delays is associated with a relay attack if it has a power level of. The relay attack detection device according to any one of claims 11 to 17 is provided.
The processor is further configured to grant permission to use the resource if no relay attack is detected.
An authentication system for granting permission to use resources. A vehicle equipped with the authentication system according to claim 18, which is configured to give access to the vehicle. A computer program having a program code for causing a processor to execute the method according to any one of claims 1 to 10.

Images